[Snort-users] Difference between rule classification and rule priority?

Martin Holste mcholste at ...11827...
Thu Apr 28 11:30:32 EDT 2011


I find both classification and priority to be all but useless in their
current forms.  Classification is going to get an overhaul shortly,
which will definitely improve its usefulness.  Priority is so
subjective and context-dependent that it is tactically unhelpful.
There may be rare cases in which it is a helpful indicator, but I have
yet to see one.

I have yet to be told why message tags (essentially an array of
classifications) have not been implemented as it would solve many
issues and provide much more inherent context for analysts.

In short, I would pay far more attention to the references in the rule
than the priority or classification.  You need to understand why the
rule fired and make your own decision regarding what the consequences
are for your org.  You will need tools to do that.  At a minimum, run
daemonlogger to collect network traffic and get netflow from routers
for sessions.  Alternatively, run sancp to do both.  It will be more
than worth the initial setup time.

On Thu, Apr 28, 2011 at 9:38 AM, Andy Berryman <aberryman at ...14758...> wrote:
> I asked on the Google Groups with no answer, so I’m asking here. But I
> thought the two were combined.
>
> If the rule classifications are 1-4, with 1 being the highest (omg omg
> omg) and 4 being the lowest (eh, who cares)
>
> But the priority that you can set in the rules can be a priority 10
> for instance. What level would that be?
>
> Would the higher the "priority" be like the lower the classtype?
>
> Thanks,
>
> Andy
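Added example, not part of this thread or of the Snort project's code: a small script showing how Snort actually combines the two fields Andy asks about. In Snort, `classification.config` lines of the form `config classification: shortname,description,priority` give each classtype a default priority on a single scale where 1 is highest and 4 is very low, and an explicit `priority:` option in a rule overrides that default. So a rule with `classtype:misc-activity` (default 3) and `priority:10` ends up at 10, i.e. less urgent than any classtype default. The classification lines, rule text, SIDs and reference URL below are constructed samples, and rules with neither option are treated here as "unknown" and sorted last (an assumption of this script, not Snort's own output behaviour). The script also pulls out the `reference:` options, since those are what Martin suggests paying attention to.

```python
import re

# Constructed sample in the classification.config format:
# config classification: <shortname>,<description>,<default priority>
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: tcp-connection,A TCP connection was detected,4
"""

# Constructed sample rules; SIDs and the reference URL are placeholders.
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"EXAMPLE web attack"; classtype:web-application-attack; reference:url,example.invalid/advisory-1; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh probe"; classtype:misc-activity; priority:10; sid:9000002; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE no classtype"; sid:9000003; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def parse_classifications(text):
    """Map classtype shortname -> (description, default priority)."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def _split_options(body):
    """Split the rule option body on ';' while ignoring ';' inside quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule_options(rule):
    """Return rule options as {keyword: [values]} (keywords may repeat, e.g. reference)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for token in _split_options(body):
        key, _, value = token.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def effective_priority(opts, classes):
    """Snort semantics: explicit priority wins, else the classtype default, else unknown."""
    if "priority" in opts:
        return int(opts["priority"][0])
    if "classtype" in opts and opts["classtype"][0] in classes:
        return classes[opts["classtype"][0]][1]
    return None  # assumption of this script: treat unclassified as unknown


def triage(rules_text, config_text):
    """Resolve each rule's effective priority and references, most urgent (lowest number) first."""
    classes = parse_classifications(config_text)
    rows = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_rule_options(line)
        rows.append({
            "sid": int(opts["sid"][0]),
            "msg": opts.get("msg", [""])[0],
            "classtype": opts.get("classtype", [None])[0],
            "priority": effective_priority(opts, classes),
            "references": opts.get("reference", []),
        })
    # 1 = high ... 4 = very low; unknown priorities go last.
    rows.sort(key=lambda r: (r["priority"] is None, r["priority"] or 0))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_RULES, CLASSIFICATION_CONFIG):
        print(r["sid"], r["priority"], r["classtype"], r["msg"], r["references"])
```

Running it lists SID 9000001 first (classtype default 1), then 9000002 (explicit `priority:10` overriding the classtype's default of 3), then the rule with neither option. The point is that both values live on the same numeric scale, so a high `priority:` number lowers urgency rather than raising it.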
